> Second, I believe the law protects EU citizens regardless of where they are. If you're an EU citizen and register for a service somewhere in the US using VPN or while physically being outside the EU, that service/company will still need to comply.
If the controller or processor is established in the Union (regardless of where they actually process data), then GDPR applies to all processing of personal data regardless of citizenship or location of the data subject.
If the controller or processor is not established in the Union, GDPR applies to processing of personal data if (1) they are offering goods or services to data subjects in the Union, or (2) they are monitoring behavior of such data subjects that takes place in the Union.
See Article 3 for details.
If a US site that is not also established in the Union is trying to block access from the EU, and someone uses a VPN to get around that, the site would probably not be subject to GDPR, as it is probably not offering goods or services to data subjects in the Union. Recital 23 explains that offering goods or services means more than just that the site can be reached from within the Union:
"In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."